Update 2: Threat Response – Zero-day vulnerabilities in Microsoft Exchange

06-10-2022

A SAFE DIGITAL JOURNEY

On Friday, September 30th, two zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 were identified [1][3]. Northwave has informed you of this in two previous Threat Responses. In our last Threat Response we informed you about an improved mitigation, since the initial mitigation could be bypassed [2]. Since then, further bypasses have been discovered, resulting in another update of the recommended mitigation.

Mitigation

Microsoft has updated their workaround, instructing customers to update both the blocking pattern and the condition the pattern is applied to. If you already applied the earlier mentioned blocking rule, remove the old rule and apply the new one. If you have not applied any workarounds yet, apply the following:

  • Add a URL Rewrite blocking rule [1] on your Exchange Server to block the known attack pattern “.*autodiscover\.json.*Powershell.*”, with the condition applied to the {UrlDecode:{REQUEST_URI}} field rather than the raw {REQUEST_URI}. Applying the pattern to the URL-decoded request URI is what closes the bypasses that used percent-encoding to slip past the earlier rule. Check [1] for the current version of the pattern and condition before applying, as Microsoft has revised both more than once.
  • Block Remote PowerShell access for non-administrative users to prevent authenticated attackers from abusing the second vulnerability, the Remote Code Execution flaw CVE-2022-41082 [1].
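The following is an added example, not code from Northwave or from the Microsoft guidance, showing what the updated rule does and why the condition moved to the URL-decoded request URI. It applies the blocking pattern quoted above to a few constructed request URIs, once against the raw URI and once against the decoded URI, and then runs the same check over a handful of constructed IIS W3C log lines so the pattern can also be used to look back for earlier attempts in your own logs. The case-insensitive flag mirrors the default “Ignore case” setting of an IIS URL Rewrite rule; the log field order is the common IIS default and is an assumption you should compare against the #Fields header of your own logs.

```python
import re
from urllib.parse import unquote

# Blocking pattern from the Microsoft workaround as quoted in this advisory.
# IIS URL Rewrite rules ignore case by default, hence re.IGNORECASE.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)


def request_matches(request_uri: str, url_decode: bool = True) -> bool:
    """Return True if the blocking rule would match this request URI.

    url_decode=True  models the condition on {UrlDecode:{REQUEST_URI}}.
    url_decode=False models the earlier condition on the raw {REQUEST_URI}.
    """
    value = unquote(request_uri) if url_decode else request_uri
    return BLOCK_PATTERN.match(value) is not None


# Constructed request URIs (not captured traffic): a plain probe, the same probe
# with "Powershell" percent-encoded, and an ordinary OWA request.
SAMPLE_URIS = [
    "/autodiscover/autodiscover.json?a@example.test/powershell?serializationLevel=Full",
    "/autodiscover/autodiscover.json?a@example.test/%50%6f%77%65%72%73%68%65%6c%6c",
    "/owa/auth/logon.aspx",
]

# Constructed IIS W3C log lines (assumed default field order, see the #Fields line).
IIS_LOG_LINES = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-06 08:15:02 10.0.0.5 POST /autodiscover/autodiscover.json a@example.test/powershell?serializationLevel=Full 443 - 198.51.100.23 python-requests/2.28 - 200 0 0 312
2022-10-06 08:15:09 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2022-10-06 08:16:41 10.0.0.5 POST /autodiscover/autodiscover.json a@example.test/%50%6f%77%65%72%73%68%65%6c%6c 443 - 198.51.100.23 python-requests/2.28 - 401 0 0 7
""".splitlines()


def request_uri_from_log_line(line: str):
    """Rebuild the request URI (stem + query) from one IIS log line, or None for
    comment/header lines and lines too short to carry the expected fields."""
    if line.startswith("#"):
        return None
    fields = line.split(" ")
    if len(fields) < 6:
        return None
    stem, query = fields[4], fields[5]
    return stem if query == "-" else f"{stem}?{query}"


def flag_suspicious_requests(lines, url_decode: bool = True):
    """Return the request URIs in the given log lines that the rule would block."""
    hits = []
    for line in lines:
        uri = request_uri_from_log_line(line)
        if uri is not None and request_matches(uri, url_decode):
            hits.append(uri)
    return hits


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"raw={request_matches(uri, url_decode=False)!s:5} "
              f"decoded={request_matches(uri)!s:5} {uri}")
    print("log hits (decoded):", flag_suspicious_requests(IIS_LOG_LINES))
    print("log hits (raw):    ", flag_suspicious_requests(IIS_LOG_LINES, url_decode=False))
```

The second sample URI is the interesting one: against the raw request URI the pattern does not see the word “Powershell” at all, so the rule lets the request through, whereas against the decoded URI it is blocked. The same function flags two of the three constructed log lines when decoding is applied and only one when it is not, which is the difference between the previous and the current workaround.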

What will Northwave do?

For EDRS customers with Defender for Endpoint, Northwave has already implemented monitoring use cases to detect web shell activity on Exchange IIS servers. For EDRS customers with ESET, post-exploitation activity will be detected and blocked by ESET. For IDRS customers with Microsoft Sentinel, Northwave has implemented a use case based on Windows Security Events to detect web shell activity. Furthermore, for customers with the Northwave NIDS setup, network traffic monitoring for possible exploitation signatures has been implemented.

We will reach out to you again if there are important updates, including if the threat posed by this activity increases. If you have any questions or require additional information, please reach out to us by phone or e-mail.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

[2]: https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/

[3]: https://advisories.ncsc.nl/advisory?id=NCSC-2022-0610


Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.